On 17.07.2013 20:08, Rick Stevens wrote:
> On 07/17/2013 08:36 AM, Reindl Harald issued this missive:
>> *no they are not*
>> otherwise my /var/log/maillog on my workstation would not have 644
>
> The correct thing to say is "if syslog(whatever) has to CREATE the file,
> it will not have world-readable set. Once the file is created, syslog*
> won't change the permissions

that's the detail

> I can't speak to what logrotate will do to them, however.

i did: "otherwise my /var/log/maillog on my workstation would not have 644"
this is "logrotated" - logrotate keeps the permissions/owner/group
if not specified like below (which is my own config-piece)

/var/log/scriptlog
{
 missingok
 notifempty
 size 30k
 create 0644 root root
}

take a look at the files in /etc/logrotate.d/ and you can see what
happens to every single file at rotate

>>> AFAIU, the reason the logs are owned by root is because it is written by
>>> syslog (which runs as root). The motivation I think is, the logs should
>>> remain untampered if your system is compromised
>>
>> how does chmod 644 affect *write* permissions?
>
> It is not who writes to it that sets the permissions and ownership,
> it's who creates the file in the first place

i referred to "logs should remain untampered if your system is compromised"

> It is created by a
> root process (syslog-whatever) and most of them have 600 permissions
> (rw-------). You can change it later if you so wish, but there are
> security issues if you give them world-readable (xx4) permissions

surely, but that is a different topic and depends on the use case of the machine
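An added example, not part of the original message: a small audit of logrotate stanzas that reports which mode each log file gets when it is recreated at rotation and whether that mode is world-readable (xx4). The function name audit_create_modes is hypothetical, every stanza except the first is constructed, and the parser assumes /etc/logrotate.d-style files that contain only per-file stanzas (no global directives, no one-line "{ ... }" stanzas).

```python
import re

# Constructed sample in /etc/logrotate.d syntax: the first stanza is the one
# quoted in the message, the other two are made up for contrast.
SAMPLE = """\
/var/log/scriptlog
{
    missingok
    notifempty
    size 30k
    create 0644 root root
}
/var/log/maillog /var/log/secure {
    missingok
}
/var/log/app.log {
    create 0600 root root
}
"""

def audit_create_modes(text):
    """Map each log path to (create_mode, world_readable); (None, None) means
    no explicit mode, so the new file keeps the existing file's mode."""
    results, paths, in_block, mode = {}, [], False, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not in_block:                      # path line(s), maybe ending in "{"
            in_block = "{" in line
            paths += line.replace("{", " ").split()
        elif line.startswith("}"):            # end of stanza: record the result
            for p in paths:
                results[p] = (mode, None if mode is None else bool(mode & 0o004))
            paths, in_block, mode = [], False, None
        else:
            m = re.match(r"create\s+([0-7]{3,4})\b", line)
            if m:
                mode = int(m.group(1), 8)
    return results

if __name__ == "__main__":
    for path, (mode, readable) in audit_create_modes(SAMPLE).items():
        if mode is None:
            print(f"{path}: no create mode, check the existing file with stat")
        else:
            print(f"{path}: recreated as {mode:04o}, world-readable={readable}")
```

For paths reported without a create mode, the mode that matters is the one the file was first created with, which is the point made in the quoted exchange.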